Peaches Posted October 29, 2009

28 October 2009, 14:09

Free tool from Microsoft hardens programs against attack

Microsoft has released a free tool for retroactively hardening applications against known attacks, without recompiling the program with a special compiler flag. The Enhanced Mitigation Evaluation Toolkit (EMET) allows developers and administrators to activate specific protection mechanisms in compiled binaries without requiring access to the source code.

EMET is currently able to prevent or impede four attack techniques. Structured Exception Handler Overwrite Protection (SEHOP) aims to prevent (structured) exception handlers (SEH) from being overwritten on the stack or in the data segment. In contrast to overwriting return addresses using buffer overflows, in this attack scenario attackers execute their code by misdirecting function pointers. Further information can be found in the article "A Heap of Risk - Buffer overflows on the heap and how they are exploited" on The H Security.

EMET impedes the currently popular attack method of heap spraying by simply allocating parts of the heap, thereby preventing an attacker from writing code to the desired location. Microsoft admits, however, that this does not offer complete protection and only defends against currently known attacks.

EMET purports to be able to defend against null page allocation, which can be exploited in conjunction with null pointer dereferencing. Programming errors can result in pointers pointing to null when being dereferenced. For function pointers, this means pointing to the (virtual) address 0, which is usually allocated to userland, allowing a user to execute code with kernel privileges. Microsoft claims that this threat is currently theoretical only, but Linux kernel and FreeBSD developers recently stumbled upon precisely this problem. The FreeBSD development team resolved this by using a new function to prevent users from mapping code to address 0.

More details at Heise Security - http://www.h-online....ack-843914.html